We are in the process of removing old computer accounts that are in AD, where the account password is older than 60 days (currently there's over 15,000 accounts that fall into this bucket). To get this list, I've ran this simple dsquery statement to generate a list:

dsquery computer -stalepwd 60 -limit 100000 > C:\Temp\Servers.txt

We currently have GPOs in place that require computers to use BitLocker and to store their recovery keys in AD. The problem is, of the 15,000+ computer accounts that are expired, I can't delete ones that have a BitLocker in AD for archival purposes, so I need to find a way to strip down the list. The end result that I would like is a list of computer accounts that have an expired computer account password, but no BitLocker recovery key stored in AD.

Has anyone done this before or know where to start looking to get something like this accomplished?

That should loop thru the computers w/ "stale" passwords checking for the presence of an object with a non-null attribute of "msFVE-RecoveryPassword" at the DN where each "stale" computer was found. If no objects were returned then no recovery password was present in the directory.

Joe Richards really deserves a pat on the back for his tools. They make life administering AD so much easier.

If you use oldcmp from joeware you can just tack on (msFVE-RecoveryPassword=*) as an additional filter and you won't need the dsquery step. If you look at the binenc section of his usage/help document, you can use adfind to do dynamic queries based on a time value (e.g. 60 days).
–
Brian DesmondOct 24 '09 at 19:19